articles/sql-database/sql-database-managed-instance-connectivity-architecture.md
Lines changed: 16 additions & 16 deletions
@@ -21,52 +21,52 @@ This article provides the Azure SQL Database Managed Instance communication over
21
21
22
22
The following diagram shows entities that connect to Managed Instance as well as resources that Managed Instance has to reach out in order to function properly.
Communication that is depicted on the bottom of the diagram represent customer applications and tools connecting to Managed Instance as data source.
26
+
Communication that is depicted on the bottom of the diagram represents customer applications and tools connecting to Managed Instance as data source.
27
27
28
-
As Managed Instance is platform-as-a-services (PaaS) offering, Microsoft manages this service using automated agents (management, deployment and maintenance) based on telemetry data streams. As Managed Instance management is solely Microsoft responsibility customers are not able to access Managed Instance virtual cluster machines through RDP.
28
+
As Managed Instance is platform-as-a-services (PaaS) offering, Microsoft manages this service using automated agents (management, deployment, and maintenance) based on telemetry data streams. As Managed Instance management is solely Microsoft responsibility, customers are not able to access Managed Instance virtual cluster machines through RDP.
29
29
30
-
Some SQL Server operations initiated by the end users or applications may require Managed Instance to interact with the platform. One case where this is needed is creation of Managed Instance Database, a resource that is exposed through the portal, PowerShell and Azure CLI.
30
+
Some SQL Server operations initiated by the end users or applications may require Managed Instance to interact with the platform. One case is the creation of a Managed Instance database - a resource that is exposed through the portal, PowerShell, and Azure CLI.
31
31
32
-
Managed Instance depends on other Azure Services for its proper functioning (i.e. Azure Storage for backups, Azure Service Bus for telemetry, Azure AD for authentication, Azure Key Vault for TDE …) and initiates connections to them accordingly.
32
+
Managed Instance depends on other Azure Services for its proper functioning (such as Azure Storage for backups, Azure Service Bus for telemetry, Azure AD for authentication, Azure Key Vault for TDE, and so forth) and initiates connections to them accordingly.
33
33
34
-
All communications, stated above, are encrypted and signed using certificates. To make sure that communicating parties are trusted, Managed Instance constantly verifies these certificates by contacting Certificate Authority. If the certificates are revoked or Managed Instance could not verify them it closes the connections to protect the data.
34
+
All communications, stated above, are encrypted and signed using certificates. To make sure that communicating parties are trusted, Managed Instance constantly verifies these certificates by contacting Certificate Authority. If the certificates are revoked or Managed Instance could not verify them, it closes the connections to protect the data.
35
35
36
36
## High-level connectivity architecture
37
37
38
-
At the high-level Managed Instance is a set of service components, hosted on a dedicated set of isolated virtual machines that run inside the customer virtual network subnet and form a virtual cluster.
38
+
At a highlevel, Managed Instance is a set of service components, hosted on a dedicated set of isolated virtual machines that run inside the customer virtual network subnet and form a virtual cluster.
39
39
40
40
Multiple Managed Instances could be hosted in single virtual cluster. The cluster is automatically expanded or contracted if needed when the customer changes the number of provisioned instances in the subnet.
41
41
42
-
Customer applications could connect to Managed Instance, query and update databases only if they run inside the virtual network or peered virtual newtork or VPN / Express Route connected network using endpoint with private IP address.
42
+
Customer applications could connect to Managed Instance, query and update databases only if they run inside the virtual network or peered virtual network or VPN / Express Route connected network using endpoint with private IP address.
Microsoft management and deployment services run outside of the virtual network so connection between Managed Instance and Microsoft services goes over the the endpoints with public IP addresses. When Managed Instance creates outbound connection, on receiving end it looks like it’s coming from this public IP due to Network Address Translation (NAT).
46
+
Microsoft management and deployment services run outside of the virtual network so connection between Managed Instance and Microsoft services goes over the endpoints with public IP addresses. When Managed Instance creates outbound connection, on receiving end it looks like it’s coming from this public IP due to Network Address Translation (NAT).
47
47
48
-
Management traffic flows through the customer virtual network. That means that elements of virtual nework infrastracture affect and could potentially harm management traffic causing instance to enter faulty state and become unavailable.
48
+
Management traffic flows through the customer virtual network. That means that elements of virtual network infrastructure affect and could potentially harm management traffic causing instance to enter faulty state and become unavailable.
49
49
50
50
> [!IMPORTANT]
51
51
> To improve customer expirience and service availability, Microsoft applies Network Intent Policy on Azure virtual network infrastructure elements that could affect Managed Instance functioning. This is a platform mechanism to communicate transparently networking requirements to end users, with main goal to prevent network misconfiguration and ensure normal Managed Instance operations. Upon Managed Instance deletion Network Intent Policy is removed as well.
52
52
53
53
## Virtual cluster connectivity architecture
54
54
55
-
Let’s take a deeper dive in Managed Instance connectivity architecture. On a diagram below you could see conceptul layout of virtual cluster.
55
+
Let’s take a deeper dive in Managed Instance connectivity architecture. The following diagram shows the conceptual layout of the virtual cluster.
Clients connect to Managed Instance using the host name that has a form <mi_name>.<clusterid>.database.windows.net. This host name resolves to private IP address although it is registered in public DNS zone and is publicly resolvable.
59
+
Clients connect to Managed Instance using the host name that has a form <mi_name>.<clusterid>.database.windows.net. This host name resolves to private IP address although it is registered in public DNS zone and is publicly resolvable.
60
60
61
61
This private IP address belongs to the Managed Instance Internal Load Balancer (ILB) that directs traffic to the Managed Instance Gateway (GW). As multiple Managed Instances could potentially run inside the same cluster, GW uses Managed Instance host name to redirect traffic to the correct SQL Engine service.
62
62
63
-
Management and deployment services connect to Managed Instance using public endpoint that maps to external load balancer. Traffic is routed to the nodes only if received on predefined set of ports that are used exclusivly by Managed Instance management components. All communication between management components and management plane is mutualy certificate authenticated.
63
+
Management and deployment services connect to Managed Instance using public endpoint that maps to external load balancer. Traffic is routed to the nodes only if received on predefined a set of ports that are used exclusively by Managed Instance management components. All communication between management components and management plane is mutually certificate authenticated.
64
64
65
65
## Next steps
66
66
67
67
- For an overview, see [What is a Managed Instance](sql-database-managed-instance.md)
68
68
- For more information about VNet configuration, see [Managed Instance VNet Configuration](sql-database-managed-instance-vnet-configuration.md).
69
-
- For a quick start see how to create Managed Instance:
69
+
- For a quickstart see how to create Managed Instance:
70
70
- from the [Azure Portal](sql-database-managed-instance-create-tutorial-portal.md)
71
71
- using [PowerShell](https://blogs.msdn.microsoft.com/sqlserverstorageengine/2018/06/27/quick-start-script-create-azure-sql-managed-instance-using-powershell/)
72
72
- using [Azure Resource Manager template](https://azure.microsoft.com/resources/templates/101-sqlmi-new-vnet/)
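Review bot: two of the `+` lines in this hunk introduce new wording errors that a copy-edit commit should not leave behind. In the "High-level connectivity architecture" paragraph, `At a highlevel, Managed Instance is a set of service components` loses the hyphen and should read `At a high level, Managed Instance is a set of service components`. In the "Virtual cluster connectivity architecture" paragraph, `Traffic is routed to the nodes only if received on predefined a set of ports` has the article in the wrong place and should be `received on a predefined set of ports`. Since the hunk already touches the surrounding text, the unchanged `[!IMPORTANT]` callout could also have `expirience` corrected to `experience` in the same commit.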